firewall: T8761: Reintroduce VRF-interface names in generated firewall config, aswell as dependents

Author: davi2367

data/config-mode-dependencies/vyos-1x.json

@@ -9,42 +9,72 @@
     },
     "interfaces_bonding": {
         "ethernet": ["interfaces_ethernet"],
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
     },
     "interfaces_bridge": {
         "vxlan": ["interfaces_vxlan"],
         "wlan": ["interfaces_wireless"],
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
+    },
+    "interfaces_dummy": {
+        "firewall": ["firewall"]
     },
     "interfaces_ethernet": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
     },
     "interfaces_geneve": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
     },
     "interfaces_l2tpv3": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
     },
     "interfaces_macsec": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
+    },
+    "interfaces_openvpn": {
+        "firewall": ["firewall"]
+    },
+    "interfaces_pppoe": {
+        "firewall": ["firewall"]
     },
     "interfaces_pseudo_ethernet": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
+    },
+    "interfaces_sstpc": {
+        "firewall": ["firewall"]
+    },
+    "interfaces_tunnel": {
+        "firewall": ["firewall"]
     },
     "interfaces_virtual_ethernet": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
+    },
+    "interfaces_vti": {
+        "firewall": ["firewall"]
     },
     "interfaces_vxlan": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
     },
     "interfaces_wireless": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
     },
     "interfaces_wwan": {
-        "static_arp": ["protocols_static_arp"]
+        "static_arp": ["protocols_static_arp"],
+        "firewall": ["firewall"]
     },
     "interfaces_wireguard": {
-        "vxlan": ["interfaces_vxlan"]
+        "vxlan": ["interfaces_vxlan"],
+        "firewall": ["firewall"]
     },
     "load_balancing_wan": {
         "conntrack": ["system_conntrack"]

data/templates/firewall/nftables-zone.j2

@@ -9,9 +9,14 @@
 {% for zone_name, zone_conf in zone.items() %}
 {%     if 'local_zone' not in zone_conf %}
 {%         if 'interface' in zone_conf.member %}
-        oifname { {{ zone_conf.member.interface | quoted_join(',') }} } counter jump VZONE_{{ zone_name }}
+        oifname { {{ zone_conf.member.interface | quoted_join(",") }} } counter jump VZONE_{{ zone_name }}
 {%         endif %}
 {%         if 'vrf' in zone_conf.member %}
+{%             for vrf_name in zone_conf.member.vrf %}
+{%                 if zone_conf['vrf_interfaces'][vrf_name] | length > 0 %}
+        oifname { {{ zone_conf['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter jump VZONE_{{ zone_name }}
+{%                 endif %}
+{%             endfor %}
         oifname { {{ zone_conf.member.vrf | quoted_join(",") }} } counter jump VZONE_{{ zone_name }}
 {%         endif %}
 {%     endif %}
@@ -71,6 +76,12 @@
         oifname { {{ zone[from_zone].member.interface | quoted_join(",") }} } counter return
 {%                 endif %}
 {%                 if 'vrf' in zone[from_zone].member %}
+{%                     for vrf_name in zone[from_zone].member.vrf %}
+{%                         if zone[from_zone]['vrf_interfaces'][vrf_name] | length > 0 %}
+        oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter return
+{%                         endif %}
+{%                     endfor %}
         oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
         oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter return
 {%                 endif %}
@@ -84,9 +95,13 @@
 {%                 endif %}
 {%                 if 'vrf' in zone[from_zone].member %}
 {%                     for vrf_name in zone[from_zone].member.vrf %}
-        oifname { "{{ zone[from_zone]['vrf_interfaces'][vrf_name] }}" } counter jump NAME{{ suffix }}_{{ from_conf[fw_name] }}
-        oifname { "{{ zone[from_zone]['vrf_interfaces'][vrf_name] }}" } counter return
+{%                         if zone[from_zone]['vrf_interfaces'][vrf_name] | length > 0 %}
+        oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf[fw_name] }}
+        oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter return
+{%                         endif %}
 {%                     endfor %}
+        oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter return
 {%                 endif %}
 {%             endfor %}
 {%         endif %}

smoketest/scripts/cli/test_firewall.py

@@ -1143,8 +1143,13 @@ def test_zone_with_vrf(self):
         self.cli_set(['vrf', 'name', 'VRF-1', 'table', '101'])
         self.cli_set(['vrf', 'name', 'VRF-2', 'table', '102'])
         self.cli_set(['interfaces', 'ethernet', 'eth0', 'vrf', 'VRF-1'])
-        self.cli_set(['interfaces', 'vti', 'vti1', 'vrf', 'VRF-2'])
+        self.cli_set(['interfaces', 'ethernet', 'eth0', 'vif', '10', 'vrf', 'VRF-1'])
+        self.cli_set(['interfaces', 'ethernet', 'eth3', 'vif-s', '10', 'vrf', 'VRF-1'])
+        self.cli_set(['interfaces', 'ethernet', 'eth3', 'vif-s', '20', 'vif-c', '30', 'vrf', 'VRF-1'])
+        self.cli_set(['interfaces', 'vti', 'vti1', 'vrf', 'VRF-1'])
+        self.cli_set(['interfaces', 'vti', 'vti2', 'vrf', 'VRF-2'])
 
+        # commit the config
         self.cli_commit()
 
         nftables_search = [
@@ -1155,8 +1160,10 @@ def test_zone_with_vrf(self):
             ['chain VYOS_ZONE_FORWARD'],
             ['type filter hook forward priority filter + 1'],
             ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
+            ['oifname { "eth0", "eth0.10", "eth3.10", "eth3.20.30", "vti1" }', 'counter packets', 'jump VZONE_ZONE1'],
             ['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
             ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
+            ['oifname "vti2"', 'counter packets', 'jump VZONE_ZONE2'],
             ['oifname "VRF-2"', 'counter packets', 'jump VZONE_ZONE2'],
             ['chain VYOS_ZONE_LOCAL'],
             ['type filter hook input priority filter + 1'],
@@ -1190,8 +1197,10 @@ def test_zone_with_vrf(self):
             ['chain VYOS_ZONE_FORWARD'],
             ['type filter hook forward priority filter + 1'],
             ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
+            ['oifname { "eth0", "eth0.10", "eth3.10", "eth3.20.30", "vti1" }', 'counter packets', 'jump VZONE_ZONE1'],
             ['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
             ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
+            ['oifname "vti2"', 'counter packets', 'jump VZONE_ZONE2'],
             ['oifname "VRF-2"', 'counter packets', 'jump VZONE_ZONE2'],
             ['chain VYOS_ZONE_LOCAL'],
             ['type filter hook input priority filter + 1'],
@@ -1203,6 +1212,7 @@ def test_zone_with_vrf(self):
             ['counter packets', 'drop', 'comment "zone_LOCAL default-action drop"'],
             ['chain VZONE_LOCAL_OUT'],
             ['oifname "vtun66"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
+            ['oifname "vti2"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
             ['oifname "VRF-2"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
             ['counter packets', 'drop', 'comment "zone_LOCAL default-action drop"'],
             ['chain VZONE_ZONE1'],
@@ -1218,6 +1228,29 @@ def test_zone_with_vrf(self):
         self.verify_nftables(nftables_search, 'ip vyos_filter')
         self.verify_nftables(nftables_search_v6, 'ip6 vyos_filter')
 
+        # change memberships in vrf plus delete and add subifs
+        self.cli_set(['interfaces', 'vti', 'vti1', 'vrf', 'VRF-2'])
+        self.cli_delete(['interfaces', 'ethernet', 'eth0', 'vif', '10'])
+        self.cli_delete(['interfaces', 'ethernet', 'eth3', 'vif-s', '10'])
+        self.cli_delete(['interfaces', 'ethernet', 'eth3', 'vif-s', '20', 'vif-c', '30'])
+        self.cli_set(['interfaces', 'ethernet', 'eth0', 'vif', '20', 'vrf', 'VRF-1'])
+        self.cli_set(['interfaces', 'ethernet', 'eth3', 'vif-s', '20', 'vrf', 'VRF-1'])
+        self.cli_set(['interfaces', 'ethernet', 'eth3', 'vif-s', '20', 'vif-c', '40', 'vrf', 'VRF-1'])
+        self.cli_commit()
+
+        # make som verifications to ensure the interface swapped vrf
+        nftables_search = [
+            ['oifname { "eth0", "eth0.20", "eth3.20", "eth3.20.40" }', 'counter packets', 'jump VZONE_ZONE1'],
+            ['oifname { "vti1", "vti2" }', 'counter packets', 'jump VZONE_ZONE2'],
+        ]
+
+        nftables_search_v6 = [
+            ['oifname { "eth0", "eth0.20", "eth3.20", "eth3.20.40" }', 'counter packets', 'jump VZONE_ZONE1'],
+            ['oifname { "vti1", "vti2" }', 'counter packets', 'jump VZONE_ZONE2'],
+        ]
+        self.verify_nftables(nftables_search, 'ip vyos_filter')
+        self.verify_nftables(nftables_search_v6, 'ip6 vyos_filter')
+
     def test_zone_without_member(self):
         self.cli_set(['firewall', 'zone', 'wan', 'default-action', 'drop'])
         error_message = 'Zone "wan" has no interfaces and is not the local zone'

src/conf_mode/firewall.py

@@ -138,7 +138,9 @@ def get_config(config=None):
                 if 'vrf' in local_zone_member:
                     local_zone_conf['vrf_interfaces'] = {}
                     for vrf_name in local_zone_member['vrf']:
-                        local_zone_conf['vrf_interfaces'][vrf_name] = ','.join(get_vrf_members(vrf_name))
+                        local_zone_conf['vrf_interfaces'][vrf_name] = get_vrf_members(
+                            vrf_name
+                        )
                 continue
 
             local_zone_conf['from_local'] = {}

src/conf_mode/interfaces_bonding.py

@@ -171,6 +171,11 @@ def get_config(config=None):
     if 'static_arp' in bond:
         set_dependents('static_arp', conf)
 
+    # Check vrf membership, to ensure firewall is updated
+    if is_node_changed(conf, base + [ifname, 'vrf']):
+        bond.update({'vrf_changed': {}})
+        set_dependents('firewall', conf)
+
     bond['vpp_ifaces'] = cli_ifaces_list(conf)
 
     return bond
@@ -298,7 +303,11 @@ def apply(bond):
     else:
         b.update(bond)
 
-    if dict_search('member.interface_remove', bond) or 'static_arp' in bond:
+    if (
+        dict_search('member.interface_remove', bond)
+        or 'static_arp' in bond
+        or 'vrf_changed' in bond
+    ):
         try:
             call_dependents()
         except ConfigError:

src/conf_mode/interfaces_bridge.py

@@ -18,6 +18,7 @@
 
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
+from vyos.configdict import is_node_changed
 from vyos.configdict import node_changed
 from vyos.configdict import is_member
 from vyos.configdict import is_source_interface
@@ -129,6 +130,11 @@ def get_config(config=None):
     if 'static_arp' in bridge:
         set_dependents('static_arp', conf)
 
+    # Check vrf membership, to ensure firewall is updated
+    if is_node_changed(conf, base + [ifname, 'vrf']):
+        bridge.update({'vrf_changed': {}})
+        set_dependents('firewall', conf)
+
     bridge['vpp_ifaces'] = cli_ifaces_list(conf)
 
     return bridge
@@ -233,7 +239,7 @@ def apply(bridge):
         if iface.startswith(('vxlan', 'wlan')) and interface_exists(iface)
     ]
 
-    if interfaces_need_update or 'static_arp' in bridge:
+    if interfaces_need_update or 'static_arp' in bridge or 'vrf_changed' in bridge:
         try:
             call_dependents()
         except ConfigError:

src/conf_mode/interfaces_dummy.py

@@ -18,6 +18,9 @@
 
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
+from vyos.configdict import is_node_changed
+from vyos.configdep import set_dependents
+from vyos.configdep import call_dependents
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
@@ -37,7 +40,12 @@ def get_config(config=None):
     else:
         conf = Config()
     base = ['interfaces', 'dummy']
-    _, dummy = get_interface_dict(conf, base)
+    ifname, dummy = get_interface_dict(conf, base)
+
+    # Check vrf membership, to ensure firewall is updated
+    if is_node_changed(conf, base + [ifname, 'vrf']):
+        set_dependents('firewall', conf)
+
     return dummy
 
 def verify(dummy):
@@ -63,6 +71,9 @@ def apply(dummy):
     else:
         d.update(dummy)
 
+    # run the dependents
+    call_dependents()
+
     return None
 
 if __name__ == '__main__':

src/conf_mode/interfaces_ethernet.py

@@ -195,6 +195,22 @@ def get_config(config=None):
     if 'static_arp' in ethernet:
         set_dependents('static_arp', conf)
 
+    # Check vrf membership, to ensure firewall is updated
+    # Parent interface
+    if is_node_changed(conf, base + [ifname, 'vrf']):
+        set_dependents('firewall', conf)
+    # vif interface
+    for vif in conf.list_nodes(base + [ifname, 'vif']):
+        if is_node_changed(conf, base + [ifname, 'vif', vif, 'vrf']):
+            set_dependents('firewall', conf)
+    # q-in-q interface
+    for vif_s in conf.list_nodes(base + [ifname, 'vif-s']):
+        if is_node_changed(conf, base + [ifname, 'vif-s', vif_s, 'vrf']):
+            set_dependents('firewall', conf)
+        for vif_c in conf.list_nodes(base + [ifname, 'vif-s', vif_s, 'vif-c']):
+            if is_node_changed(conf, base + [ifname, 'vif-s', vif_s, 'vif-c', vif_c, 'vrf']):
+                set_dependents('firewall', conf)
+
     return ethernet
 
 def verify_speed_duplex(ethernet: dict, ethtool: Ethtool):
@@ -441,8 +457,9 @@ def apply(ethernet):
         e.remove()
     else:
         e.update(ethernet)
-    if 'static_arp' in ethernet:
-        call_dependents()
+
+    # run the dependents
+    call_dependents()
 
     vpp_iface_config = dict_search(f'vpp.settings.interface.{ifname}', ethernet)
     if vpp_iface_config is not None and is_systemd_service_running('vpp.service'):

src/conf_mode/interfaces_geneve.py

@@ -57,6 +57,10 @@ def get_config(config=None):
     if 'static_arp' in geneve:
         set_dependents('static_arp', conf)
 
+    # Check vrf membership, to ensure firewall is updated
+    if is_node_changed(conf, base + [ifname, 'vrf']):
+        set_dependents('firewall', conf)
+
     return geneve
 
 def verify(geneve):
@@ -96,8 +100,8 @@ def apply(geneve):
         g = GeneveIf(**geneve)
         g.update(geneve)
 
-    if 'static_arp' in geneve:
-        call_dependents()
+    # run the dependents
+    call_dependents()
 
     return None
 

src/conf_mode/interfaces_l2tpv3.py

@@ -20,6 +20,7 @@
 from vyos.configdep import set_dependents
 from vyos.configdep import call_dependents
 from vyos.configdict import get_interface_dict
+from vyos.configdict import is_node_changed
 from vyos.configdict import leaf_node_changed
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
@@ -62,6 +63,10 @@ def get_config(config=None):
     if 'static_arp' in l2tpv3:
         set_dependents('static_arp', conf)
 
+    # Check vrf membership, to ensure firewall is updated
+    if is_node_changed(conf, base + [ifname, 'vrf']):
+        set_dependents('firewall', conf)
+
     return l2tpv3
 
 def verify(l2tpv3):
@@ -106,8 +111,8 @@ def apply(l2tpv3):
         l = L2TPv3If(**l2tpv3)
         l.update(l2tpv3)
 
-    if 'static_arp' in l2tpv3:
-        call_dependents()
+    # run the dependents
+    call_dependents()
 
     return None